Postfix

OpenDKIM not signing, but no errors

  • October 15, 2020

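I've set up opendkim (2.10) with postfix on an Ubuntu 16.04 host. According to the logs, everything is fine (i.e., no errors), but mail is not being signed. I can see that postfix is passing messages to OpenDKIM (because when I stop opendkim, postfix complains that it isn't there), but I have no visibility into OpenDKIM itself.

Here's the configuration I've got: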

opendkim.conf:

Canonicalization        relaxed/relaxed
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
LogWhy                  Yes
MinimumKeyBits          1024
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SigningTable            refile:/etc/opendkim/SigningTable
# Must agree with value in /etc/default/opendkim.                                                               
Socket                  inet:8891@localhost
## Postfix puts itself in a chroot jail and can't see this in the                                               
## default location.  So just use TCP.                                                                          
# Socket                  local:/var/run/opendkim/opendkim.sock                                                 
Syslog                  Yes
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID                  opendkim:opendkim

# Always oversign From (sign using actual From and a null From to prevent malicious                             
# signatures header fields (From and/or others) between the signer and the verifier)                            
OversignHeaders         From

# Hashing Algorithm                                                                                             
SignatureAlgorithm      rsa-sha256

# Auto restart when the failure occurs. CAUTION: This may cause a tight fork loops                              
AutoRestart             Yes

KeyTable:

nantes-1.p27.eu   p27.eu:mail:/etc/opendkim/p27.eu.key

SigningTable:

*@p27.eu                 nantes-1.p27.eu
*@transport-nantes.com   nantes-1.p27.eu

TrustedHosts:

127.0.0.1

postfix/main.cf:

# [...]

# OpenDKIM                                                                                                      
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
# Postfix v3 so milter protocol 6 and not 2.
milter_protocol         = 6
# There was a time, at least, when "auth_type" was not passed by default.
# I've not been able to determine if this still matters or not.
milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen}"

Testing:

Sending mail causes no errors in the logs, but the mail is not DKIM-signed. When I test locally, I see this:

[T] jeff@nantes-1:~ $ opendkim-testkey -d p27.eu -s mail -vvvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.p27.eu'
opendkim-testkey: key not secure
opendkim-testkey: key OK
[T] jeff@nantes-1:~ $ opendkim-testkey -d transport-nantes.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.transport-nantes.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK
[T] jeff@nantes-1:~ $ 

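Any suggestions as to what I'm doing wrong or how to debug further?

Addendum: Solution

The solution: on Ubuntu 16.04, OpenDKIM is spawned like this:

/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost

So the config file is /etc/opendkim.conf, not /etc/opendkim/opendkim.conf. (Somewhere I read /etc/opendkim/opendkim.conf, rightly or wrongly, and I read it the same way ever after.)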

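In other words, this is a known bug in the human brain (seeing something close to right and thereafter seeing the same thing every time) and an odd violation of convention by OpenDKIM (the usual convention being to create a subdirectory of /etc/ rather than placing files directly in /etc/, especially if you may need more files later).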
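The check that the solution above implies, as an added example that is not part of the original post: read the -x argument from the daemon's command line, compare it with the file that was edited, and confirm that the loaded file sets KeyTable and SigningTable. The function names and the sample command line are constructed for illustration; paths are compared as strings, so symlinks are not resolved.

```shell
#!/bin/sh
# Added example: compare the config file opendkim was started with against
# the file that was edited. The sample command line below is constructed.

# Print the argument of -x from an opendkim command line ($1); status 1 if absent.
conf_from_cmdline() (
    set -f                          # no globbing while word-splitting $1
    prev=
    for word in $1; do
        [ "$prev" = "-x" ] && { printf '%s\n' "$word"; exit 0; }
        prev=$word
    done
    exit 1
)

# Status 0 if config file $1 sets directive $2 on an uncommented line.
has_directive() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+[^[:space:]]" "$1"
}

# Report whether edited file $2 is the one named in command line $1, and
# whether the loaded file carries the signing tables. Prints one verdict.
audit() {
    loaded=$(conf_from_cmdline "$1") || { echo "no -x option"; return 2; }
    if [ "$loaded" != "$2" ]; then
        echo "MISMATCH: daemon loads $loaded, edits went to $2"
        return 1
    fi
    for d in KeyTable SigningTable; do
        has_directive "$loaded" "$d" || { echo "MISSING: $d in $loaded"; return 1; }
    done
    echo "OK: $loaded"
}

# Constructed command line, in the form `ps -o args= -C opendkim` prints.
SAMPLE_CMDLINE='/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -p inet:8891@localhost'

# On a live host (not run here):
#   audit "$(ps -o args= -C opendkim | head -n 1)" /etc/opendkim/opendkim.conf
```

A MISMATCH verdict corresponds to the situation in the question: the daemon runs without errors because the file it loads is valid, while the signing tables sit in a file it never reads.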

Quoted from: https://serverfault.com/questions/1038579